How many years ago did we all learn that you shouldn't separately validate the username and the password? "Incorrect username" or "Incorrect password" gives away, for free, confirmation of the existence of a particular username.
And this is exactly what the Wikipedia login page does: https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&error=&fromhttp=1 Gaaahhh!!!

In my presentation for CBCrypt, I talk about 2-factor authentication (slides 12-18): https://github.com/rahvee/CBcrypt/blob/master/Documentation/CBCrypt%20Presentation.pptx?raw=true

At present, every 2-factor authentication system I've ever seen, including Google, Microsoft, and every bank and credit card that I use, works like this: you enter username & password, and then if it's wrong it says "bad username or password," but if you got it right, it says "We have sent you a validation link." Which once again, stupidly, validates the correct combination of username & password to a user who is not yet fully authenticated.

Worse yet, in many of those systems (Dropbox, I'm looking at you), if you enable 2-factor and fail to authenticate, you can override it using a single factor, such as answering security questions or receiving a password reset email. (Or knowledge of the host_id.)

In the words of the great Hubert Farnsworth... "I don't want to live on this planet anymore..."
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
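The two leaks the post describes, next to a login flow that does not make them, as an added example. This is not code from the post, from CBCrypt, or from any of the services named; it assumes a small constructed in-memory user store (one made-up account) and a list standing in for the SMS/email channel, and every function and variable name is invented for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example user store: one made-up account with a PBKDF2-hashed password.
_ITERS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERS)


def _make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {"alice": _make_record("correct horse battery staple")}

# Dummy record with an unguessable password: an unknown username still pays for a
# full PBKDF2 run, so response time does not reveal whether the username exists.
_DUMMY = _make_record(secrets.token_hex(32))

GENERIC_FAIL = "Incorrect username or password."
GENERIC_SENT = "If those credentials are correct, a verification code has been sent."

# Simulated out-of-band delivery channel and pending-challenge table (constructed).
OUTBOX: list[tuple[str, str]] = []
_PENDING: dict[str, dict] = {}


def leaky_login(username: str, password: str) -> str:
    """The anti-pattern: distinct messages confirm which usernames exist."""
    user = USERS.get(username)
    if user is None:
        return "Incorrect username"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "Incorrect password"
    return "Welcome"


def _first_factor_ok(username: str, password: str) -> bool:
    """Same work and same result shape whether or not the username exists."""
    record = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return matches and username in USERS  # the dummy record never authenticates


def start_login(username: str, password: str) -> tuple[str, str]:
    """Step 1 of 2FA. Always returns the same message and a challenge id, so the
    caller learns nothing about the first factor until the second one is proven."""
    challenge_id = secrets.token_urlsafe(16)
    code = None
    if _first_factor_ok(username, password):
        code = f"{secrets.randbelow(10**6):06d}"
        OUTBOX.append((username, code))  # a real system sends this out of band
    # A failed first factor still gets a pending entry; it just has no valid code.
    _PENDING[challenge_id] = {"user": username, "code": code}
    return GENERIC_SENT, challenge_id


def finish_login(challenge_id: str, code: str) -> str:
    """Step 2 of 2FA. One generic failure message covers every failing case
    (unknown challenge, wrong password earlier, wrong code), and each challenge
    is single-use so the six-digit code cannot be brute-forced by retrying."""
    pending = _PENDING.pop(challenge_id, None)
    if pending is None or pending["code"] is None:
        return GENERIC_FAIL
    if not hmac.compare_digest(pending["code"], code):
        return GENERIC_FAIL
    return f"Authenticated as {pending['user']}"
```

The point of `_DUMMY` is that "username doesn't exist" and "password is wrong" must be indistinguishable both in the message and in how long the server takes to answer; skipping the hash for unknown users reintroduces the leak through timing. The same rule has to hold for any recovery path: a reset-by-email or security-question flow that lands the user in a session without going through `finish_login` is the single-factor override the post complains about.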
